Darktrace /NETWORK Integration
Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.
Darktrace /NETWORK is a Network Detection and Response (NDR) offering. In Cisco XDR, we enable Darktrace users to leverage it in investigations and for response actions. In Investigate, Darktrace can respond with detection details for queried hostnames, IP and MAC addresses, and Darktrace DeviceIDs. The Darktrace integration can also be used in Automation and from the pivot menu to quarantine and unquarantine devices by hostname, Darktrace DeviceID, and IP or MAC address.

- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Darktrace /NETWORK integration.
- Click the plus sign (+) in the lower-right corner of the card. The Darktrace /NETWORK integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Darktrace /NETWORK integration in Cisco XDR.

You can perform the following tasks after you integrate Darktrace /NETWORK with Cisco XDR:
- Investigations - Start a new investigation into any combination of IP addresses, hostnames, and Darktrace device IDs, and the results will include any records of them found in your Darktrace /NETWORK. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Darktrace /NETWORK has recent information. For details, see Investigate.
- Pivot Menu - Install the Darktrace /NETWORK workflows from the Automation Exchange to use the Pivot menu to access actions in Darktrace /NETWORK. Available actions include quarantining a device in Darktrace /NETWORK.
- Automation:
  - Atomic Actions - The atomic actions for Darktrace can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.
  - Workflows - The workflows for Darktrace /NETWORK can be installed from the Automation Exchange. See Workflows and Exchange.
  - Target - The Darktrace target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.
- Playbooks - An Automation system workflow that uses Darktrace /NETWORK and is included in the Cisco Managed Incident Playbook can be used to contain assets (devices). See Containment on the Response page.